baresip: tls: accept error: no shared cipher

I’m using baresip v3.1.0 to connect to my Twilio account. I can place calls from baresip successfully, but when I receive a call, I see the following error message:

tls: accept error: (r=-1, ssl_err=1) tls: 139931151087424:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:…/ssl/statem/statem_srvr.c:2283:

After seeing this announcement from Twilio, I’ve upgraded the openssl library to the latest one (3.1.0) like this:

(this is from my Dockerfile)

    RUN git clone -b v3.1.0 --single-branch https://github.com/baresip/baresip.git && \
        cd baresip && \
        cmake -B build -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER=clang-11 \
            -DCMAKE_CXX_COMPILER=clang++-11 -DCMAKE_INSTALL_PREFIX=/usr -DOPENSSL_ROOT_DIR=/install/openssl/openssl-3.1.0

But to no avail. I still get the same error, so I suspect there is something else wrong.

Do you have any idea where I should be looking?

This is my baresip config file:

#
# baresip configuration -- example for linux
#

#------------------------------------------------------------------------------

# Core
poll_method		epoll		# poll, select, epoll ..

# SIP
#sip_listen		0.0.0.0:5060
#sip_certificate	cert.pem
#sip_cafile		/etc/ssl/certs/ca-certificates.crt
sip_transports		tls 
#udp,tcp,tls,ws,wss
#sip_trans_def		udp
sip_verify_server	no
#sip_tos			160 # See TOS fields!

## TOS fields ##
#    7     6     5     4     3     2     1     0
# +-----+-----+-----+-----+-----+-----+-----+-----+
# |   PRECEDENCE    |          TOS          | MBZ |
# +-----+-----+-----+-----+-----+-----+-----+-----+
# TOS:
# bit 4 - low delay
# bit 3 - high throughput
# bit 2 - high reliability
# bit 1 - low cost
# MBZ:
# bit 0 - zero

# Call
call_local_timeout	120
call_max_calls		4
call_hold_other_calls	yes

# Audio
#audio_path		/usr/share/baresip
audio_player		pulse
audio_source		pulse
audio_alert		pulse,speaker
#ausrc_srate		48000
#auplay_srate		48000
#ausrc_channels		0
#auplay_channels	0
#audio_txmode		poll		# poll, thread
audio_level		no
ausrc_format		s16		# s16, float, ..
auplay_format		s16		# s16, float, ..
auenc_format		s16		# s16, float, ..
audec_format		s16		# s16, float, ..
audio_buffer		20-160		# ms
audio_telev_pt		101		# payload type for telephone-event

# Video
#video_source		v4l2,/dev/video0
#video_display		x11,nil
video_size		640x480
video_bitrate		1000000
video_fps		30.00
video_fullscreen	yes
videnc_format		yuv420p

# AVT - Audio/Video Transport
rtp_tos			184
rtp_video_tos		136
#rtp_ports		10000-20000
#rtp_bandwidth		512-1024 # [kbit/s]
rtcp_mux		no
jitter_buffer_type	fixed		# off, fixed, adaptive
jitter_buffer_delay	5-10		# frames
#jitter_buffer_wish	6		# frames for start
rtp_stats		no
#rtp_timeout		60

# Network
#dns_server		1.1.1.1:53
#dns_server		1.0.0.1:53
#dns_fallback		8.8.8.8:53
#net_interface		eth0
# Play tones
#file_ausrc		aufile
#file_srate		16000
#file_channels		1

#------------------------------------------------------------------------------
# Modules

module_path		/usr/lib/x86_64-linux-gnu/baresip/modules

# UI Modules
module			stdio.so
#module			cons.so
#module			evdev.so
#module			httpd.so

# Audio codec Modules (in order)
module			opus.so
#module			amr.so
#module			g7221.so
#module			g722.so
#module			g726.so
#module			g711.so
#module			gsm.so
#module			l16.so
#module			mpa.so
#module			codec2.so
#module			ilbc.so

# Audio filter Modules (in encoding order)
module			auconv.so
module			auresamp.so
#module			vumeter.so
#module			sndfile.so
#module			plc.so
#module			webrtc_aec.so

# Audio driver Modules
#module			alsa.so
module			pulse.so
#module			jack.so
#module			portaudio.so
#module			aubridge.so
#module			aufile.so
#module			ausine.so

# Video codec Modules (in order)
#module			avcodec.so
#module			vp8.so
#module			vp9.so

# Video filter Modules (in encoding order)
#module			selfview.so
#module			snapshot.so
#module			swscale.so
#module			vidinfo.so
#module			avfilter.so

# Video source modules
#module			v4l2.so
#module			vidbridge.so

# Video display modules
#module			directfb.so
#module			x11.so
#module			sdl.so
#module			fakevideo.so

# Audio/Video source modules
#module			avformat.so
#module			gst.so
#module			gst_video.so

# Compatibility modules
#module			ebuacip.so
module			uuid.so

# Media NAT modules
module			stun.so
module			turn.so
module			ice.so
#module			natpmp.so
#module			pcp.so

# Media encryption modules
module			srtp.so
#module			dtls_srtp.so
#module			zrtp.so


#------------------------------------------------------------------------------
# Application Modules

module_app		account.so
#module_app		contact.so
#module_app		debug_cmd.so
#module_app		echo.so
#module_app		gtk.so
module_app		menu.so
#module_app		mwi.so
#module_app		presence.so
#module_app		serreg.so
#module_app		syslog.so
module_app		mqtt.so
#module_app		ctrl_tcp.so
#module_app		ctrl_dbus.so
#module_app		httpreq.so
#module_app		multicast.so
module_app		netroam.so


#------------------------------------------------------------------------------
# Module parameters

# DTLS SRTP parameters
#dtls_srtp_use_ec	prime256v1

# UI Modules parameters
cons_listen		0.0.0.0:5555 # cons - Console UI UDP/TCP sockets

http_listen		0.0.0.0:8000 # httpd - HTTP Server

ctrl_tcp_listen		0.0.0.0:4444 # ctrl_tcp - TCP interface JSON

evdev_device		/dev/input/event0

# Opus codec parameters
opus_bitrate		48000 # 6000-510000
opus_stereo		yes
#opus_sprop_stereo	yes
#opus_cbr		no
#opus_inbandfec		no
#opus_dtx		no
#opus_mirror		no
#opus_complexity	10
#opus_application	audio	# {voip,audio}
opus_samplerate	48000
#opus_packet_loss	10	# 0-100 percent (expected packet loss)

# Opus Multistream codec parameters
#opus_ms_channels	2	#total channels (2 or 4)
#opus_ms_streams	2	#number of streams
#opus_ms_c_streams	2	#number of coupled streams

vumeter_stderr		yes

#jack_connect_ports	yes

# Selfview
video_selfview		window # {window,pip}
#selfview_size		64x64

# ZRTP
#zrtp_hash		no  # Disable SDP zrtp-hash (not recommended)

# Menu
#redial_attempts	0 # Num or <inf>
#redial_delay		5 # Delay in seconds
#ringback_disabled	no
#statmode_default	off
#menu_clean_number	no
#sip_autoanswer_method	rfc5373 # {rfc5373,call-info,alert-info}
#ring_aufile		ring.wav
#callwaiting_aufile	callwaiting.wav
#ringback_aufile	ringback.wav
#notfound_aufile	notfound.wav
#busy_aufile		busy.wav
#error_aufile		error.wav
#sip_autoanswer_aufile	autoanswer.wav

# GTK
#gtk_clean_number	no

# avcodec
#avcodec_h264enc	libx264
#avcodec_h264dec	h264
#avcodec_h265enc	libx265
#avcodec_h265dec	hevc
#avcodec_hwaccel	vaapi
#avcodec_profile_level_id 42002a

# ctrl_dbus
#ctrl_dbus_use	system		# system, session

# mqtt
#mqtt_broker_host	sollentuna.example.com
#mqtt_broker_port	1883
#mqtt_broker_cafile	/path/to/broker-ca.crt	# set this to enforce TLS
#mqtt_broker_clientid	baresip01	# has to be unique
#mqtt_broker_user	user
#mqtt_broker_password	pass
#mqtt_basetopic		baresip/01

# sndfile
#snd_path		/tmp

# EBU ACIP
#ebuacip_jb_type	fixed	# auto,fixed

# HTTP request module
#httpreq_ca		trusted1.pem
#httpreq_ca		trusted2.pem
#httpreq_dns		1.1.1.1
#httpreq_dns		8.8.8.8
#httpreq_hostname	myserver
#httpreq_cert		cert.pem
#httpreq_key		key.pem

# multicast receivers (in priority order)- port number must be even
#multicast_call_prio	0
#multicast_ttl		1
#multicast_jbuf_type	fixed		# off, fixed, adaptive
#multicast_jbuf_delay	5-10		# frames
#multicast_jbuf_wish	6		# frames for start
#multicast_listener	224.0.2.21:50000
#multicast_listener	224.0.2.21:50002

# avformat
#avformat_pass_through	yes

About this issue

  • State: closed
  • Created a year ago
  • Comments: 24 (17 by maintainers)

Most upvoted comments

Try the same with TCP transport and capture the SIP traffic, view and analyse in wireshark!

I need a bit more time to do this.

10:27:27.889|ua: sipsess connect via TLS 54.172.60.1:5061 --> <<<MY_PUBLIC_STATIC_IP4>>>:42614

The first incoming SIP INVITE is sent to port 42614. I guess this is the TCP src port of the SIP REGISTER. So like @alfredh wrote, the TCP connection of the REGISTER is re-used by twilio.

You wrote that there is a second incoming INVITE. And in the log we see that tls_accept() is called and fails. This means that baresip now has the role of a TLS server. This happens if the remote (twilio) needs to open a new TCP+TLS connection. A TLS server is normally verified. That’s why baresip would need a TLS certificate.

The question is why twilio does not re-use the TCP+TLS connection of the REGISTER?

Normally I would say: Most likely the TCP connection for the REGISTER was closed already. But you configured:

  • The registration interval regint very short, to 600 seconds.
  • You configured sipnat=outbound;outbound=.... This enables the registration keepalive mechanism, if the SIP server supports the “outbound” extension.

So in your case maybe the keepalive mechanism is not started because the response to the REGISTER has no Require: outbound header and twilio has very short TCP timeouts.

You could enable the key logger in re. Then you are able to view the tcpdump in wireshark.

    cd re
    mkdir build
    cd build
    cmake .. -DCMAKE_BUILD_TYPE=Debug -DTRACE_SSL=/tmp/ssl.key

You need to load /tmp/ssl.key into wireshark: Edit - Preferences - Protocols - TLS. In the field for “(Pre)-Master-Secret log filename” put /tmp/ssl.key.

Also start baresip with option -v!

You get even more interesting WARNINGs if you increase DEBUG_LEVEL to 6 in re/src/tls/openssl/tls.c. See function tls_verify_handler()!
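As an added example (not code from this issue or from the baresip project), a small Python checker that parses a config in the format of the file posted in the question and flags the two settings the discussion turns on: tls in sip_transports with no sip_certificate, which leaves baresip without a certificate when it has to act as TLS server for an incoming connection, and sip_verify_server set to no. The config excerpt is constructed from the posted file's key names; the finding texts are my own wording.

```python
# Constructed excerpt in the format of the config shown in the question
# (key, whitespace, value, optional trailing "# comment"); not a real file.
SAMPLE_CONFIG = """\
# SIP
#sip_listen        0.0.0.0:5060
#sip_certificate   cert.pem
sip_transports     tls
sip_verify_server  no              # server certificate is not checked
module             srtp.so
"""


def parse_config(text):
    """Return {key: [value, ...]} for active lines; '#' comments are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and commented-out keys
        if not line:
            continue
        parts = line.split(None, 1)           # key, then the rest (tabs or spaces)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0], []).append(value)
    return conf


def check_sip_tls(conf):
    """Findings about the SIP-over-TLS settings, in the order they are detected."""
    findings = []
    transports = {t.strip() for v in conf.get("sip_transports", [])
                  for t in v.split(",")}
    if "tls" in transports and "sip_certificate" not in conf:
        findings.append("tls transport without sip_certificate: baresip has no "
                        "certificate to present when it must act as TLS server "
                        "for an incoming connection")
    # Only an explicit 'no' is reported; the default is not assumed here.
    if conf.get("sip_verify_server", [""])[-1].lower() == "no":
        findings.append("sip_verify_server=no: the SIP server's certificate is "
                        "not verified, so a misrouted or spoofed server is accepted")
    return findings


if __name__ == "__main__":
    for finding in check_sip_tls(parse_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```

Run it against the real file with `parse_config(open("~/.baresip/config").read())` after expanding the path; both findings fire on the config in the question.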